Robust bootstrapping memory analysis against anti-forensics

Published: 07 August 2016

Abstract

Memory analysis is increasingly used to collect digital evidence in incident response. With the fast growth of memory analysis, however, anti-forensic techniques have appeared that prevent it from completing its bootstrapping steps: operating system (OS) fingerprinting, Directory Table Base (DTB) identification, and obtaining kernel objects. Although most published research tries to counter anti-forensics, each work addresses only one of these three steps. Thus, even with the suggested robust algorithms, a collapse in any one of the three steps leads to failure of the memory analysis as a whole. In this paper, we evaluate the latest memory forensic tools against anti-forensics. Then, we propose a novel robust algorithm that guarantees the bootstrapping analysis steps. It uses only one kernel data structure, KiInitialPCR, a kernel global variable based on the kernel processor control region (KPCR) structure, which has many fields that are tolerant to mutation. We characterize the robust fields of the KPCR structure and use them for OS fingerprinting, DTB identification, and obtaining kernel objects. Then, we implement the KiInitialPCR-based analysis system. As a result, we can analyze compromised memory in spite of interference from anti-forensics.
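The abstract's idea of a multi-field, mutation-tolerant KPCR signature can be illustrated with a small scanner. This is an added example, not the paper's algorithm or code: it assumes the x64 KPCR/KPRCB offsets from public Windows kernel debug symbols (Self at +0x18, CurrentPrcb at +0x20, KPRCB at +0x180 with CurrentThread at +0x08 and IdleThread at +0x18), evaluates several invariants per candidate, and accepts a candidate when a threshold of them hold, so that a single wiped field does not hide the structure. The sample image is constructed inline.

```python
import struct

# Layout assumed from public Windows x64 kernel debug symbols (not taken from
# the paper): KPCR.Self at +0x18, KPCR.CurrentPrcb at +0x20, the KPRCB embedded
# at KPCR+0x180 with CurrentThread at KPRCB+0x08 and IdleThread at KPRCB+0x18.
SELF_OFF, PRCB_OFF, PRCB_DELTA = 0x18, 0x20, 0x180
CUR_THREAD_OFF, IDLE_THREAD_OFF = 0x08, 0x18
KERNEL_MIN = 0xFFFF800000000000   # canonical high half on x64
PAGE = 0x1000

def _q(img, off):
    return struct.unpack_from("<Q", img, off)[0]

def kpcr_invariants(img, off):
    """Evaluate the invariants of a KPCR candidate at physical offset `off`.
    Every pointer is read directly from the image; nothing is dereferenced
    through page tables, so this runs before the DTB is known."""
    self_va = _q(img, off + SELF_OFF)
    prcb_va = _q(img, off + PRCB_OFF)
    prcb = off + PRCB_DELTA
    return {
        "self_in_kernel_space": self_va >= KERNEL_MIN,
        "prcb_is_self_plus_0x180": prcb_va == self_va + PRCB_DELTA,
        "current_thread_in_kernel_space": _q(img, prcb + CUR_THREAD_OFF) >= KERNEL_MIN,
        "idle_thread_in_kernel_space": _q(img, prcb + IDLE_THREAD_OFF) >= KERNEL_MIN,
    }

def scan_kpcr(img, min_hits=3):
    """Return (offset, hits) for every 8-byte-aligned candidate with at least
    `min_hits` invariants intact, so one mutated field is tolerated."""
    found = []
    last = len(img) - PRCB_DELTA - IDLE_THREAD_OFF - 8
    for off in range(0, last, 8):
        hits = sum(kpcr_invariants(img, off).values())
        if hits >= min_hits:
            found.append((off, hits))
    return found

def build_sample_image():
    """Constructed 3-page image: a genuine KPCR at 0x1000, a copy at 0x2000
    whose CurrentThread was zeroed (one mutated field), and a decoy at 0x800
    that only carries a kernel-looking Self pointer."""
    img = bytearray(3 * PAGE)
    def put_kpcr(off, va, cur_thread):
        struct.pack_into("<Q", img, off + SELF_OFF, va)
        struct.pack_into("<Q", img, off + PRCB_OFF, va + PRCB_DELTA)
        struct.pack_into("<Q", img, off + PRCB_DELTA + CUR_THREAD_OFF, cur_thread)
        struct.pack_into("<Q", img, off + PRCB_DELTA + IDLE_THREAD_OFF, 0xFFFFF80001234000)
    put_kpcr(0x1000, 0xFFFFF80002B40000, 0xFFFFF80002B4C000)
    put_kpcr(0x2000, 0xFFFFF80002B40000, 0)                            # CurrentThread wiped
    struct.pack_into("<Q", img, 0x800 + SELF_OFF, 0xFFFFF80002B40000)  # decoy
    return bytes(img)
```

With the default threshold the wiped copy is still reported (3 of 4 invariants hold) while the decoy is rejected; raising `min_hits` to 4 keeps only the untouched structure.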


Cited By

  • (2020) Identification of Spoofed Emails by applying Email Forensics and Memory Forensics. Proceedings of the 2020 10th International Conference on Communication and Network Security, pp. 109-114. https://doi.org/10.1145/3442520.3442527. Online publication date: 27-Nov-2020.


Published In

Digital Investigation: The International Journal of Digital Forensics & Incident Response, Volume 18, Issue S, August 2016, 160 pages

Publisher

Elsevier Science Publishers B. V., Netherlands


Author Tags

  1. Memory analysis
  2. Memory forensics
  3. OS fingerprinting
  4. Robust analysis
  5. Windows
